On Thursday, House and Senate Democrats issued letters requesting investigations into the cyberattack on Home Depot, one of the largest retail hacks in history, which may have left vulnerable the financial information of tens of millions of American consumers.
Senate Democrats also requested an investigation into the recent breach of Apple’s iCloud that led to the widespread sharing of hundreds of nude photos stolen from celebrities.
The investigations come as members of Congress push for new laws to protect consumers from data theft.
In a letter to Rep. Darrell Issa (R-Calif.), chairman of the House Oversight and Government Reform Committee, Rep. Elijah Cummings (D-Md.) requested a bipartisan hearing on Thursday to examine the Home Depot data breach.
“Cybersecurity threats are ongoing challenges for both the federal government and the private sector,” Rep. Cummings wrote. “For these reasons, I believe an investigation of the data security breach at Home Depot will help the Committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.”
In the letter to his Republican colleague, Rep. Cummings acknowledged the repeated sessions held over the security of the HealthCare.gov website. Incidentally, Rep. Issa counts Home Depot among his top financial donors, with a contribution of $10,000 in this cycle alone.
In a separate letter to Home Depot CEO Francis Blake, two Democratic senators on Thursday requested a briefing from the company’s information security officials, citing a recent article by computer security journalist Brian Krebs, who wrote that multiple banks are seeing evidence that credit and debit cards allegedly stolen during the Home Depot breach are for sale on the online black market.
Krebs also suggested that the hackers responsible may be tied to several other high-profile successful data breaches—including those of Target, Sally Beauty and P.F. Chang’s—as stolen cards went up for sale in the same black-market store. More recent reports about the exact nature of the attack, however, suggest otherwise.
Speaking with Bloomberg Businessweek, Dan Guido, chief executive officer of Trail of Bits, an information security company, said there were distinct differences in the data breaches of Home Depot and Target, which indicates that separate groups may be responsible.
The letter to Home Depot’s CEO, which said the company has “had time to examine the cause and impact of the attack,” was signed by Senators John D. Rockefeller IV (D-W.V.), chairman of the Committee on Commerce, Science and Transportation; and Claire McCaskill (D-Mo.), chairwoman of the Committee on Consumer Protection, Product Safety, and Insurance.
“We have previously requested and received briefings from other breached entities in the recent past,” the Senators’ letter said. “In this regard, we ask that Home Depot’s information-security officials provide a briefing to Committee staff regarding your company’s investigation and latest findings on the circumstances that may have permitted unauthorized access to sensitive customer information.”
Finally, in a third letter, sent to Apple’s Tim Cook over the so-called “Celebgate” hack, which affected dozens of A-list celebrities, including actress Jennifer Lawrence and model Kate Upton, Sens. Rockefeller and McCaskill requested similar information surrounding the breach of iCloud.
While reports of unauthorized access to iCloud accounts have been sensationalized and have largely focused on its impact on high-profile celebrities, the incident may be another example of potential security vulnerabilities as illustrated in a string of recent data breaches that have put millions of American consumers at risk.
Sens. Rockefeller and McCaskill used the letters to Home Depot and Apple to call for a national data breach notification law.
“We have been advocates for data security and breach notification legislation that would better protect consumers and improve corporate responsibility,” the Senators said.
Home Depot, which is rumored to have up to $105 million in cyber-insurance, has offered a year of free credit monitoring and identity repair assistance to its customers. It has not, however, identified publicly how many consumers may have been affected by the breach.
Illustration by Jason Reed